Quantum authentication of classical messages 
Although key distribution is arguably the most studied context on which to apply quantum
cryptographic techniques, message authentication, i.e., certifying the identity of the message originator
and the integrity of the message sent, can also benefit from the use of quantum resources. Classi- 
cally, message authentication can be performed by techniques based on hash functions. However, 
the security of the resulting protocols depends on the selection of appropriate hash functions, and on 
the use of long authentication keys. In this paper we propose a quantum authentication procedure 
that, making use of just one qubit as the authentication key, allows the authentication of binary 
classical messages in a secure manner. 

PACS numbers: 03.67.Dd, 03.67.Hk, 03.67.Lx.



I. INTRODUCTION 

As computer networks spread worldwide with users accessing them via millions of different
terminals, information protection becomes more and more relevant. This challenge of providing
adequate information protection is closely related to the basic tasks of cryptography:
authentication and secrecy. During the last decade it has been shown that information has a
physical, not only mathematical, dimension and, as such, can be studied making use of Quantum
Theory. This has given birth to the research field known as Quantum Information Theory (QIT).
Quantum Cryptography (QC), first introduced by Wiesner and by Bennett and co-workers, is, with
Quantum Computation, one of the most remarkable applications of QIT. The information security
provided by QC is based on fundamental properties of Quantum Mechanics, instead of on unproven
assumptions concerning the computational complexity of some algorithms (as is the case for most
of Classical Cryptography), and therefore brings a whole new dimension to security in
communications. Over the last few years there have been several experimental demonstrations of
the feasibility of QC, which seem to indicate that the prospects for its future mainstream use
are good.

QC involves several topics, and although Quantum Key Distribution (QKD) is arguably the most
studied one, the necessity to combine QKD protocols with classical authentication methods has
motivated recent investigations on the achievement of key verification and user authentication
in a quantum-mechanical secure manner. Key verification consists of assuring that the parties
of a key-distribution scheme are the legitimate ones, and that the key established is
authentic. User authentication (also called user identification) allows a communicator to prove
his/her identity, often as the first step to log into a system. One potential insecurity of
user authentication consists of assuming that once the log-in process has concluded, the
transmission remains authentic for the rest of the communication. This assumption strongly
depends on the level of security provided by the channel used. Classical Cryptography solves
this weakness employing message authentication codes (MACs), which enable parties owning a
shared secret key to achieve data integrity. A MAC, also known as a data authentication code,
is essentially a scheme specified by two algorithms: an encoding or tagging algorithm (possibly
stochastic), and a decoding or verification algorithm. When the sender (Alice) wants to send a
certified message to a recipient (Bob), she computes, employing the encoding algorithm, a tag
(as a function of the message and a secret key previously shared) and appends it to the
message. On the reception side, Bob verifies the authenticity of the tag by means of the
specified decoding procedure, which depends on the message, tag, and shared key. This algorithm
returns a bit indicating when Bob must regard the message as authentic and accept it as coming
from Alice, and when he must discard it. Wegman and Carter described a message-authentication
scheme whose security is information-theoretic, rather than based on computational assumptions.
Their technique uses a hash function, selected from a Universal Hash Family, to compress the
message to be certified into a smaller string of bits. Then this string is encrypted to produce
the tag.

Recently, Barnum has addressed the problem of
authenticating quantum messages. In his protocols the 
authentication key is used to select a quantum error- 
detection code (QEDC) from a given set. A quantum 
state is encoded in one of these codes, and the state is 
rejected as inauthentic if an error is detected by the re- 
cipient. The geometry of the set of QEDCs is chosen such 
that it ensures that the probability of undetected forgery 
is less than the classical bound (inverse of the square root 
of the number of keys). 

In this paper we study how the use of quantum resources can improve the authentication of
classical messages. Specifically, we present a broad class of quantum authentication schemes
that, unlike classical MACs, which need at least two secret bits to achieve a probability of
forgery less than one, provide secure data integrity when only a one-qubit key is shared
between the communicating partners.

The paper is organized as follows. In Section II we describe a class of quantum
message-authentication codes that requires just one qubit as the key to authenticate binary
messages. In Section III we analyze the security of these protocols against various attacks of
increasing severity. First, we analyze the no-message attack, in which the sender has not
initiated the transmission (there is no message in the channel), and the adversary (Eve)
attempts to prepare a message with the goal of passing Bob's verification test. Then, we
analyze more subtle attacks, those in which Eve has access to what is transmitted. We also
discuss, in Section III, how the security of the protocol is modified if the authentication
keys are reused. Finally, we present our conclusions in Section IV.



II. QUANTUM MESSAGE-AUTHENTICATION CODES

Suppose Alice needs to send a certified classical message to Bob. The goal is to make Bob
confident about the authenticity of the message and sender. The protocols described in this
section require a quantum channel, so the first task consists of assigning a quantum state to
each possible classical message. This decision needs no secrecy and can be made openly. We will
discuss the simple case of binary messages (one-bit long). Thus, there are only two possible
messages, '0' and '1', to which we assign the pure quantum states $|\phi_0\rangle$ and
$|\phi_1\rangle$, respectively. In order to guarantee Bob's perfect extraction of information
from these states and to make authentication possible, they cannot be selected arbitrarily, but
must be orthogonal, $\langle\phi_i|\phi_j\rangle = \delta_{ij}$, with $i,j \in \{0,1\}$; and
must contain, as in any authentication method, some tag information to be checked by Bob. We
will assume that they belong to a two-qubit state space (a four-dimensional Hilbert space)
$\mathcal{E}$. This can be seen as if the first qubit carried the message information, and the
second qubit carried the tag. As for the secret authentication key, we will assume that Alice
and Bob share a two-qubit maximally entangled state: Each owns one qubit of a publicly-known
singlet state $|\psi\rangle_{AB} = \frac{1}{\sqrt{2}}(|01\rangle_{AB} - |10\rangle_{AB})$.

The authentication procedure goes as follows: When Alice wants to send a certified bit $i$, she
prepares two qubits in the state $|\phi_i\rangle$ and performs the following encoding operation
on her part of $|\psi\rangle_{AB}$ and on the message:

$$E_{A\mathcal{E}} = |0\rangle\langle 0|_A \otimes 1_{\mathcal{E}} + |1\rangle\langle 1|_A \otimes U_{\mathcal{E}}, \tag{1}$$

where $U_{\mathcal{E}}$ is some publicly-known unitary quantum operation. Basically, the result
of this encoding operation can be seen as performing (second term in (1)) or not (first term in
(1)), depending on the state of Alice's qubit of the shared key, a unitary operation,
$U_{\mathcal{E}}$, on the quantum state $|\phi_i\rangle$. This could also be accomplished with a
previously shared classical bit acting as a key. The singlet can be seen as a superposition of
all possible classical key states.

After performing this tagging operation, the state of the global system (Alice+Bob+message) is

$$\frac{1}{\sqrt{2}}\left(|01\rangle_{AB}|\phi_i\rangle - |10\rangle_{AB}U_{\mathcal{E}}|\phi_i\rangle\right). \tag{2}$$

Using the density operator formalism, the state of the authenticated message that Alice sends
to Bob can be obtained from (2) performing the partial trace over the Alice+Bob variables. In
density operator terms, this state is given by

$$\rho'_i = \frac{1}{2}\left(\rho_i + U_{\mathcal{E}}\rho_i U_{\mathcal{E}}^{\dagger}\right), \tag{3}$$



where $\rho_i = |\phi_i\rangle\langle\phi_i|$. On the reception side, Bob decodes the
information sent by Alice performing the decoding operation

$$D_{B\mathcal{E}} = |0\rangle\langle 0|_B \otimes U_{\mathcal{E}}^{\dagger} + |1\rangle\langle 1|_B \otimes 1_{\mathcal{E}} \tag{4}$$

on his part of $|\psi\rangle_{AB}$ and the message received. Finally, Bob performs an
orthogonal measurement on the space $\mathcal{E}$. Since this space is four-dimensional, and we
have imposed the states $|\phi_0\rangle$ and $|\phi_1\rangle$ to be orthonormal, we can perform
this measurement on the orthonormal set $\{|\phi_i\rangle;\ i = 0,\dots,3\}$, where
$|\phi_2\rangle$ and $|\phi_3\rangle$ are two extra orthonormal states. If the result of such a
measurement is one of the two first elements of the set, Bob should assume that no forgery has
taken place, and therefore obtain the classical message sent to him. If this is not the case,
he rejects the message received.



III. SECURITY ANALYSIS 

The class of quantum protocols of the previous section provides perfect deterministic decoding,
i.e., the quantum key $|\psi\rangle_{AB}$ and the quantum ciphertext $\rho'_i$ uniquely
determine the classical message sent, $\rho_i$. This means that these protocols would fail only
if Bob accepted a message as an authenticated one when that is not the case (due to the
unnoticed action of Eve). When dealing with forgery strategies we must consider two main types
of attacks: the no-message attack, and the message attack. The first one is the simplest:
Before Alice sends any message to Bob, Eve attempts to prepare a quantum state that passes the
decoding algorithm. The message attack is more subtle and severe: Eve could access authentic
messages transmitted, and try to produce a forged message based on the information gained. The
purpose of this section is to analyze both families of attacks, and obtain the class of unitary
operations $U_{\mathcal{E}}$ that makes them unsuccessful. In the following discussion we will
consider the ideal scenario of an error-free quantum channel.

A. No-message attack 

Suppose Eve prepares a normalized pure quantum state $|e\rangle \in \mathcal{E}$ and sends it
to Bob trying to impersonate Alice. In the most general case, this inauthentic pure quantum
message can be described as $|e\rangle = \sum_{i=0}^{3} e_i|\phi_i\rangle$. When Bob receives
this quantum message he cannot know that it comes from a forger, so he follows the procedure
explained in the previous section: He performs a decoding operation and then an orthogonal
measurement over the set $\{|\phi_i\rangle;\ i = 0,\dots,3\}$. Before this measurement takes
place, the state of the message can be described by
$\rho'_e = (\rho_e + U_{\mathcal{E}}^{\dagger}\rho_e U_{\mathcal{E}})/2$, where
$\rho_e = |e\rangle\langle e|$. As we have seen, Bob rejects the message if the result of his
measurement is one of the last two elements of this basis; therefore, the probability $P_f$
that Eve deceives Bob is:

$$P_f = \frac{1}{2}\sum_{i=0}^{1}|\langle e|\phi_i\rangle|^2 + \frac{1}{2}\sum_{i=0}^{1}|\langle e|U_{\mathcal{E}}|\phi_i\rangle|^2. \tag{5}$$

This quantity depends both on Eve's strategy and on the quantum operation $U_{\mathcal{E}}$.
The normalization of $|e\rangle$ and the unitarity of $U_{\mathcal{E}}$ make both terms on the
right side of (5) less than or equal to 0.5. The first term depends entirely on Eve's decision,
and, to be 0.5, $e_2$ and $e_3$ must be zero. We will assume that Eve selects $|e\rangle$ such
that this condition is fulfilled. Let us focus on the second term,
$\frac{1}{2}\sum_{i=0}^{1}|\langle e|U_{\mathcal{E}}|\phi_i\rangle|^2$. First, let us write the
matrix representation of $U_{\mathcal{E}}$ in the block form

$$U_{\mathcal{E}} = \begin{pmatrix} M_0 & M_1 \\ M_2 & M_3 \end{pmatrix}, \tag{6}$$

where the $M_i$ are 2x2 complex matrices. With this notation, the second term in the right side
of (5) can be written as

$$\frac{1}{2}\left[\left(|M_0^0|^2 - |M_0^1|^2\right)|e_0|^2 + 2|M_0^0 M_0^{1\dagger}|\,|e_0|\sqrt{1-|e_0|^2}\cos\theta_E + |M_0^1|^2\right], \tag{7}$$

where $M_i^j$ represents the $j$-row of the $i$-block of $U_{\mathcal{E}}$, and $\theta_E$ is
an angle that depends entirely on Eve's choice of her state. Eve's goal is to make $P_f$ as big
as possible, so the worst case for Alice and Bob occurs when Eve chooses $\theta_E = 2\pi k$
with $k$ any integer, and a $|e_0|$ that maximizes (7) for a given $U_{\mathcal{E}}$. We can
distinguish between two cases:

1. If $|M_0^0 M_0^{1\dagger}| = 0$, the maximum of (7) is strictly less than 0.5 when
$|M_0^0|^2 < 1$ and $|M_0^1|^2 < 1$.

2. If $|M_0^0 M_0^{1\dagger}| \neq 0$, the maximum of (7) is strictly less than 0.5 when

(8)

where the real variables $x$, $y$ and $z$ are $|M_0^0|^2 - |M_0^1|^2$,
$2|M_0^0 M_0^{1\dagger}|$ and $|M_0^1|^2$, respectively.

Note that, in both cases, Alice and Bob can select $U_{\mathcal{E}}$ such that its $M_0$ block
makes $P_f < 1$ independently of Eve's choice of $|e\rangle$.

Finally, in this subsection we have assumed that Eve prepares a pure state $|e\rangle$;
however, she could have prepared a general mixed state
$\rho_e = \sum_i p_i|e_i\rangle\langle e_i|$ with $\sum_i p_i = 1$. From what we have shown in
this subsection, it is straightforward to see that if $U_{\mathcal{E}}$ is selected satisfying
the conditions above, then also in this case $P_f < 1$. In fact, we can further show that, with
the appropriate selection of $U_{\mathcal{E}}$, $P_f$ can be made at most 1/2. According to
(5), $P_f$ can be written as $P_f = \mathrm{Tr}(\rho'_e P)$, where
$\rho'_e = (\rho_e + U_{\mathcal{E}}^{\dagger}\rho_e U_{\mathcal{E}})/2$ and
$P = |\phi_0\rangle\langle\phi_0| + |\phi_1\rangle\langle\phi_1|$. Using the properties of the
trace operator,

$$P_f = \mathrm{Tr}(\rho_e Q)/2, \tag{9}$$

where $Q = U_{\mathcal{E}} P U_{\mathcal{E}}^{\dagger} + P$ is a positive operator known to
Eve, and with maximum eigenvalue $\lambda_{max} \geq 1$. Therefore, the maximizing $\rho_e$ is
any eigenvector corresponding to $\lambda_{max}$, and thus $P_f = \lambda_{max}/2$. Finally, it
is easy to see that choosing $U_{\mathcal{E}}$ such that it takes $P$ to its orthogonal
complement makes $\lambda_{max} = 1$, and therefore, as predicted, $P_f = 1/2$.



B. Message attack



As we have seen, this is a more subtle and severe class of attacks. Instead of directly forging
a quantum message and sending it to Bob, Eve could wait for Alice's original messages and try
to manipulate them. Thus, Eve's goal is to convert authentic messages into others passing Bob's
test. In the simple case we are dealing with (binary messages), this implies converting
$|\phi_0\rangle$ into $|\phi_1\rangle$ and vice versa.

In order to simplify the analysis, and without loss of generality, we will distinguish between
two types of message attacks. In the first one, Eve, based on the knowledge of all the public
aspects of the quantum authentication scheme used, determines a quantum operation and applies
it to any message sent by Alice. This quantum operation can be described by a trace-preserving
completely-positive (TPCP) map. In the second class of attacks, Eve also tries to extract
information, by means of the appropriate measurement of the message in the channel, that allows
her to prepare a different message that Bob regards as authentic.



1. TPCP map

Consider that Alice sends to Bob a quantum message $|\phi_i\rangle$, with $i \in \{0,1\}$, and
Eve performs an arbitrary TPCP map, $\mathcal{M}$, on it. The new state in the channel is
$\mathcal{M}(\rho'_i)$, with $\rho'_i$ given by (3). Eve chooses $\mathcal{M}$ such that the
decoding procedure performed by Bob on the resulting state leads to the state $|\phi_j\rangle$,
with $j \in \{0,1\}$, and $j \neq i$. Owing to the pure character of the states
$|\phi_0\rangle$ and $|\phi_1\rangle$, this can only be done with certainty if $\mathcal{M}$ is
a unitary operation, that we will write as $U_E$. For this kind of operation, the probability,
$P'_f(i)$, of Eve achieving her goal is $\langle\phi_j|\rho_E|\phi_j\rangle$, where $\rho_E$,
Bob's decoded state, is

$$\rho_E = \frac{1}{2}\left(U_E\rho_i U_E^{\dagger} + U_{\mathcal{E}}^{\dagger}U_E U_{\mathcal{E}}\rho_i U_{\mathcal{E}}^{\dagger}U_E^{\dagger}U_{\mathcal{E}}\right), \tag{10}$$

with $\rho_i = |\phi_i\rangle\langle\phi_i|$. Therefore,

$$P'_f(i) = \frac{1}{2}\left(|\langle\phi_j|U_E|\phi_i\rangle|^2 + |\langle\phi_j|U_{\mathcal{E}}^{\dagger}U_E U_{\mathcal{E}}|\phi_i\rangle|^2\right). \tag{11}$$

If Alice prepares the state $|\phi_i\rangle$ with probability $p_i$, the overall probability
of, employing a TPCP map, substituting an authentic message with a different one that passes
Bob's test is $P'_f = \sum_i p_i P'_f(i)$. This probability is one if $U_E$ simultaneously
satisfies, up to some arbitrary global phase factors, the following two pairs of conditions:

$$|\phi_j\rangle = U_E|\phi_i\rangle, \tag{12}$$

and

$$|\phi_j\rangle = U_{\mathcal{E}}^{\dagger}U_E U_{\mathcal{E}}|\phi_i\rangle, \tag{13}$$

$\forall\ i,j \in \{0,1\}$, with $i \neq j$. The orthogonality between $|\phi_0\rangle$ and
$|\phi_1\rangle$ allows Eve to always fulfill one of the two pairs of conditions independently
of the particular $U_{\mathcal{E}}$ employed by Alice and Bob. Let us assume that Eve selects
$U_E$ such that (12) is satisfied. This selection makes $U_E$ have, in the orthonormal basis
$\{|\phi_i\rangle;\ i = 0,\dots,3\}$, the following block representation:



_ 
~ ' 7\ff 



(14) 



with $M_0 = e^{i\alpha}S(\beta)\sigma_x$, where $\alpha$ is an arbitrary phase, $\sigma_x$ is
the standard Pauli matrix, and $S(\beta)$ is a phase-shift operation, whose matrix
representation is

$$S(\beta) = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\beta} \end{pmatrix}, \tag{15}$$

and is any 2x2 unitary matrix. Now, if we further demand the fulfillment of (13), the matrix
elements of $U_{\mathcal{E}}$ and $U_E$ must obey
$\langle\phi_k|U_{\mathcal{E}}|\phi_i\rangle = \sum_l \langle\phi_k|U_E|\phi_l\rangle\langle\phi_l|U_{\mathcal{E}}|\phi_j\rangle$,
$\forall\ k \in \{0,\dots,3\}$. With the notation of $U_E$ introduced in equation (14), this
implies that $M_0^0$, $M_0^1$, $M_2^0$ and $M_2^1$, where $M_i^j$ represents the $j$-column of
the $i$-block of $U_{\mathcal{E}}$, must satisfy
$M_0^0 = e^{i\gamma}S(\delta)\sigma_x M_0^1$ and, M°'' = or = e'^M^, where $\gamma$, $\delta$
and $\chi$ are such that $U_{\mathcal{E}}$ is a unitary operation. If Alice and Bob choose
$U_{\mathcal{E}}$ such that all these requirements are not verified, then the probability of
successful tampering will be strictly less than one, independently of Eve's TPCP map.



2. Measurement 

Let us assume now that, instead of performing a pre- 
determined quantum operation on the message sent by 
Alice, Eve makes a measurement on it trying to gain in- 
formation about the key. If she were able to collapse the 
state of the key in a known unentangled pure state, she 
could throw away Alice's message and prepare and send 
to Bob an unauthentic new one that would pass his test 
with certainty. Since Eve knows how the protocol works, 
she would achieve this if she could distinguish perfectly 
between the two terms on the right-hand side of (|^). 

In order to avoid this attack, Alice and Bob must choose $U_{\mathcal{E}}$ such that the set of
states $\{|\phi_i\rangle, U_{\mathcal{E}}|\phi_i\rangle\}$, with $i = 0, 1$, is not orthogonal.
Owing to the orthogonality of $|\phi_0\rangle$ and $|\phi_1\rangle$, this requirement can be
rewritten as $\langle\phi_i|U_{\mathcal{E}}|\phi_j\rangle \neq 0$ for, at least, one $i$ and
$j$, with $i,j \in \{0,1\}$. With the block notation introduced in previous sections, this
condition can be expressed as $|M_0^0| > 0$ or $|M_0^1| > 0$. Although no secrecy is necessary
for secure authentication, note that if $\langle\phi_i|U_{\mathcal{E}}|\phi_j\rangle \neq 0$,
with $i \neq j$, the quantum authentication scheme also provides, in some sense, data
encryption, since there is a probability bigger than zero of Eve not determining which message
Alice sent.



C. Discussion 

MACs are used to detect any attempt to modify the transmitted data by an undesired third party.
In this section we have concentrated on several types of attacks which, we believe, are the
most demanding. We have shown that, in order to avoid the forgery strategies studied, Alice and
Bob should agree to choose $U_{\mathcal{E}}$ such that the following conditions are satisfied:

1. If $|M_0^0 M_0^{1\dagger}| = 0$, then $|M_0^0|^2 < 1$ and $|M_0^1|^2 < 1$.

2. If $|M_0^0 M_0^{1\dagger}| \neq 0$, then equation (8) must be verified.

3. $M_0^0 \neq e^{i\gamma}S(\delta)\sigma_x M_0^1$, or M°h4^ ^ and ^

4. $|M_0^0| > 0$ or $|M_0^1| > 0$.

Of these four conditions, it is straightforward to see, however, that the last one, obtained in
order to avoid the determination of the key by measurement, is redundant, since the fulfillment
of the third condition leads to the fourth one.

After examining the three remaining conditions, two questions arise: (i) Can a unitary
operation simultaneously fulfill these three restrictions? and, (ii) If the answer is yes, what
is the optimum $U_{\mathcal{E}}$? Perhaps the easiest way to answer the first question is with
a trivial example. If, for instance, $M_0^0 = (0.5\ \ 0.5)$ and $M_0^1 = (0\ \ 0)$, it is
straightforward to construct a unitary operation with its first block equal to $M_0$. Moreover,
it is evident that all the above conditions are satisfied by this matrix. As for the second
question, it is an important open issue that we plan to address in the future. First one should
establish some appropriate criterion according to which to obtain such an optimum
$U_{\mathcal{E}}$. When we analyzed no-message attacks, we showed that, selecting an
appropriate $U_{\mathcal{E}}$, $P_f$ can be made 1/2 regardless of Eve's strategy.
Nevertheless, it is straightforward to see that this particular unitary quantum operation makes
$P'_f$ one, thus making the protocol vulnerable. Therefore, it seems that the optimization
should result from a balance of the different forgery strategies considered.
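
The balance described above can be checked numerically. The following Python sketch is an added example, not part of the paper: it evaluates the no-message bound $P_f = \lambda_{max}/2$ from (9) and the tampering probability $P'_f(i)$ for two public unitaries. The 4x4 completion `U_EXAMPLE` (reading the two vectors of the trivial example as the rows of the first block) and Eve's operation `EVE_FLIP` are assumptions chosen here for illustration.

```python
# Added illustration, not code from the paper. Matrices are 4x4 nested lists
# in the basis {|phi_0>, |phi_1>, |phi_2>, |phi_3>}.
from math import sqrt

N = 4
# Projector P onto the accepting subspace span{|phi_0>, |phi_1>}.
P = [[1 if r == c and r < 2 else 0 for c in range(N)] for r in range(N)]

def dagger(m):
    """Conjugate transpose."""
    return [[m[c][r].conjugate() for c in range(N)] for r in range(N)]

def matmul(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(N)) for c in range(N)]
            for r in range(N)]

def is_unitary(u, tol=1e-12):
    prod = matmul(dagger(u), u)
    return all(abs(prod[r][c] - (r == c)) < tol
               for r in range(N) for c in range(N))

def no_message_forgery(u, iters=500):
    """Eve's best no-message success: lambda_max(U P U^dagger + P) / 2."""
    upu = matmul(matmul(u, P), dagger(u))
    q = [[upu[r][c] + P[r][c] for c in range(N)] for r in range(N)]
    v = [1.0, 0.9, 0.8, 0.7]  # generic start vector for power iteration
    for _ in range(iters):
        w = [sum(q[r][c] * v[c] for c in range(N)) for r in range(N)]
        norm = sqrt(sum(abs(x) ** 2 for x in w))
        v = [x / norm for x in w]
    qv = [sum(q[r][c] * v[c] for c in range(N)) for r in range(N)]
    lam = sum((v[r].conjugate() * qv[r]).real for r in range(N))
    return lam / 2

def tampering_success(u, u_eve, i):
    """P'_f(i): chance Bob decodes the flipped bit after Eve applies u_eve."""
    j = 1 - i
    conjugated = matmul(matmul(dagger(u), u_eve), u)
    return 0.5 * (abs(u_eve[j][i]) ** 2 + abs(conjugated[j][i]) ** 2)

S = 1 / sqrt(2)
# Takes P to its orthogonal complement (swaps the two 2x2 blocks).
U_COMPLEMENT = [[0, 0, 1, 0], [0, 0, 0, 1], [1, 0, 0, 0], [0, 1, 0, 0]]
# Assumed completion of a first block with rows (0.5 0.5) and (0 0).
U_EXAMPLE = [[0.5, 0.5, 0.5, 0.5], [0, 0, S, -S],
             [S, -S, 0, 0], [0.5, 0.5, -0.5, -0.5]]
# One particular choice for Eve (not optimized): sigma_x on both blocks.
EVE_FLIP = [[0, 1, 0, 0], [1, 0, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]

if __name__ == "__main__":
    for name, u in (("complement", U_COMPLEMENT), ("example", U_EXAMPLE)):
        assert is_unitary(u)
        print(name, round(no_message_forgery(u), 4),
              [round(tampering_success(u, EVE_FLIP, i), 4) for i in (0, 1)])
```

With these inputs the complement unitary reaches the no-message bound 0.5 but lets this tampering operation succeed with probability 1, while the completed example gives a no-message bound of about 0.854 and a tampering probability of 0.5 for the same operation.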

Finally, one interesting property of this class of quantum authentication protocols is that it
provides the possibility of reusing the authentication keys: If there is no forgery, then after
Alice's encoding and Bob's decoding processes the state of the key remains intact. Thus, if the
authentication procedure is successful, in principle Alice and Bob could retain the entangled
key and reuse it in the next run of the protocol. The presence of Eve, however, cannot be
disregarded. She could try to entangle an ancilla system with the quantum authentication key
generating a global state of the form:

$$|\psi\rangle_{ABE} = \alpha|01\rangle_{AB}|\phi\rangle_E - \beta|10\rangle_{AB}|\phi_{\perp}\rangle_E, \tag{16}$$

with $|\psi\rangle_{ABE} \in \mathcal{K} \otimes \mathcal{A}$, where $\mathcal{K}$ and
$\mathcal{A}$ denote the state spaces of the key and the ancilla systems, respectively;
$|\phi\rangle_E$ and $|\phi_{\perp}\rangle_E$ represent two arbitrary orthonormal states in
$\mathcal{A}$; and $\alpha$ and $\beta$ are two arbitrary complex numbers satisfying
$|\alpha|^2 + |\beta|^2 = 1$. If equation (16) is verified, Eve could always forge messages
when the key is reused, just reproducing Alice's encoding process, but employing her ancilla as
the control of the quantum operation.

If we assume that Eve has access only to the quantum channel between Alice and Bob, which we
believe is a reasonable assumption, then Eve could try to obtain (16) in two different ways.
She could prepare a quantum message and send it to Bob, or she could manipulate the message
sent by Alice. The first possibility can be neglected, since, if $U_{\mathcal{E}}$ satisfies
the conditions enumerated above, Eve cannot know when a run of the protocol has been
successful. As for the second possibility, it must not be confused with the one previously
analyzed when dealing with TPCP maps. Now Eve does not need to convert $|\phi_0\rangle$ into
$|\phi_1\rangle$ and vice versa. She can prepare $|\psi\rangle_E \in \mathcal{A}$ and apply a
unitary operation $U_{\mathcal{E}\mathcal{A}}$ of the form:



^imOl) AB 



U£\(f>^)\10)AB)(E) 



(17) 



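trying to achieve
$U_{\mathcal{E}\mathcal{A}}(|\phi_i\rangle|\psi\rangle_E) = (\alpha|\phi_i\rangle + \beta|\phi_j\rangle)|\phi\rangle_E$
and
$U_{\mathcal{E}\mathcal{A}}(U_{\mathcal{E}}|\phi_i\rangle|\psi\rangle_E) = (\gamma U_{\mathcal{E}}|\phi_i\rangle + \delta U_{\mathcal{E}}|\phi_j\rangle)|\phi_{\perp}\rangle_E$,
with $i,j \in \{0,1\}$, and $\alpha, \beta, \gamma, \delta$ some complex parameters such that
$|\alpha|^2 + |\beta|^2 = |\gamma|^2 + |\delta|^2 = 1$. If $U_{\mathcal{E}}$ is chosen such
that $\langle\phi_i|U_{\mathcal{E}}|\phi_i\rangle \neq 0$, for some $i \in \{0,1\}$, then
$|\phi_i\rangle$ and $U_{\mathcal{E}}|\phi_i\rangle$ are not orthogonal for at least one value
of $i$. Therefore, and since the inner product of states is preserved by any unitary operation,
these conditions are impossible to fulfill. This means that equation (16) cannot be achieved
with certainty.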

Nevertheless, and although key recycling is in princi- 
ple possible, it should be noticed that the security of the 
authentication protocols presented may be drastically reduced.
As has been suggested, security does not depend on
the use of entanglement, but on the possibility of detecting
Eve's presence in the quantum ciphertext. As we
have seen, these authentication schemes can detect Eve 
with a certain probability, but there is also a chance that 
Eve remains undetected. 



IV. CONCLUSION 

We have presented a broad class of quantum authen- 
tication protocols that, making use of just one qubit as 
the authentication key, allow the authentication of bi- 
nary classical messages with a probability of successful 
forgery less than one. All parties, including the forger, 
may have full knowledge about all aspects of the proto- 
col; however, it requires sharing a previous secret (in the 
form of an entangled pair of particles, or a classical bit), 
and an ideal quantum channel between the partners. 

We have described several types of possible attacks and 
shown that careful selection of the quantum transforma- 
tion performed by the communicating parties makes the 
protocol secure against these attacks. However, a further 
more extensive security analysis in a more realistic scenario
(a non-perfect channel), as well as the derivation of
the optimum $U_{\mathcal{E}}$ in such circumstances, is needed.

Finally, we have also shown that the protocol authen- 
tication keys can be reused. However, this reduces the 
security of the protocol. 